US20060265570A1 - Secured coprocessor comprising means for preventing access to a unit of the coprocessor - Google Patents

Publication number
US20060265570A1
Authority
US
United States
Prior art keywords
coprocessor
command
signature
execution
register
Prior art date
Legal status
Granted
Application number
US11/398,857
Other versions
US7934265B2 (en)
Inventor
Frederic Bancel
Nicolas Berard
Current Assignee
STMicroelectronics SA
Original Assignee
STMicroelectronics SA
Application filed by STMicroelectronics SA
Assigned to STMICROELECTRONICS S.A. (assignment of assignors' interest). Assignors: BANCEL, FREDERIC; BERARD, NICOLAS
Publication of US20060265570A1
Application granted
Publication of US7934265B2
Expired - Fee Related

Classifications

    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00: Error detection; Error correction; Monitoring
    • G06F11/28: Error detection; Error correction; Monitoring by checking the correct order of processing

Definitions

  • the present disclosure generally relates to the protection of integrated circuits, such as integrated circuits for smart cards, against attacks by error injection.
  • the present disclosure relates more particularly but not exclusively to a method for monitoring the execution by a coprocessor of commands sent in particular by a microprocessor, as well as an integrated circuit comprising a coprocessor comprising means for monitoring the execution of commands.
  • a coprocessor is a specific component designed to perform calculations particularly to offload the microprocessor to which it is coupled. It is generally driven by the microprocessor which communicates with it through registers to load calculation data, to configure it and finally to retrieve the results of the calculations and to be informed of the end of the calculations.
  • a coprocessor generally comprises a control block comprising an interface with the data bus of the microprocessor and a state machine pacing the progress of the calculations, and a calculation unit controlled by the control block (also called “data path”).
  • coprocessors are particularly used to perform cryptographic calculations, and thus handle secret keys. These coprocessors are therefore the targets of attacks aiming to discover these keys.
  • the detection of error injections is considered one important measure to guarantee a high level of security to certain integrated circuits, particularly integrated circuits for smart cards.
  • a method for monitoring the execution of a program is already known, particularly through EP 1,161,725, which involves producing cumulative signatures that vary according to the codes-instructions that run in the instruction register of a microprocessor. Such a method enables a derailment of the program being executed, particularly due to an error injection, to be detected.
  • Techniques for detecting an attack on a coprocessor do exist.
  • One of these techniques involves running several times the calculation to be performed corresponding to the command received, then comparing the results obtained. If these results are identical, it can be deduced that no attack has occurred. In this way, to make a successful attack, the error injection must be repeated several times, and in an identical manner in terms of its effects and temporal aspects. This technique multiplies the calculation times by the number of iterations, which is a major disadvantage. Further, if an error is highlighted in connection with the state of a state machine, the injection of a fault can result in skipping a state, and thus in masking the error.
  • Another technique involves providing an additional fault injection detection logic circuit.
  • Regarding the calculation unit, which has no deterministic properties since the data processed are not predictable, redundant data paths are provided and the identity of the signals in the redundant paths is compared on the fly. The detection of a difference between two redundant signals triggers the activation of an error signal.
  • Regarding the control block, which has a deterministic aspect, a signature circuit is used which calculates a signature, throughout the operation performed by the coprocessor, using certain control signals controlling the calculation unit. At the end of the calculation, the calculated signature is compared with an expected value and, if a difference is detected, revealing a fault injection, an alert signal is activated. However, the comparison, whether performed by software or by a circuit, can be bypassed by an appropriate fault injection. This technique thus has a flaw.
  • Embodiments of the present invention aim to overcome these disadvantages.
  • a first embodiment of the present invention puts the coprocessor into an error mode by default as soon as the execution of a command begins, and maintains the error mode while the smooth execution of the command is not confirmed, including when the execution of the command is finished if it has not taken place as expected.
  • Another embodiment of the present invention prevents access to certain units of the coprocessor while the error mode is present.
  • An embodiment of the present invention is indeed based on the observation that a voluntary fault injection is generally accompanied by access to “sensitive” units of the coprocessor, such as an output register for example, which enables the fraudster to observe the effects of the fault injection and to deduce from them information about the coprocessor or the secret data it uses.
  • one embodiment of the present invention provides a method for monitoring the execution of a command by a coprocessor, comprising:
  • the unit to be protected comprises at least one register of the coprocessor.
  • the register is read protected.
  • the register is read protected by supplying the output of the register with dummy binary data bearing no relation to the content of the register, in response to a request to read the register.
  • the method comprises producing, in synchronization with a clock signal, current cumulative signatures, each current cumulative signature varying according to a previous cumulative signature and to deterministic logic signals taken off in the coprocessor, until a final cumulative signature is obtained at the end of the execution of the command, and maintaining the error signal on the active value when the cumulative signature is different from an expected signature.
  • the production of the signatures is paced by a clock signal of the coprocessor, one current cumulative signature being produced at each clock cycle during the execution of the command.
  • the deterministic logic signals comprise control signals produced by a control unit of the coprocessor.
  • the cumulative signatures are calculated by a linear feedback shift register.
  • the expected signature is read in a dedicated register of the coprocessor.
  • the expected signature is selected from a plurality of expected signatures each corresponding to a command executable by the coprocessor.
  • An embodiment of the present invention also relates to a coprocessor comprising a calculation unit for executing a command, a securisation device for monitoring the execution of the command and producing an error signal having an active value as soon as the execution of the command begins, and an inactive value at the end of the execution of the command unless any abnormal progress in the execution of the command has been detected, and protection means for preventing access to at least one unit to be protected of the coprocessor, while the error signal is on the active value.
  • the protection means are arranged for preventing access to at least one register of the coprocessor.
  • the protection means are arranged for preventing read access to at least one register of the coprocessor.
  • the protection means comprise means for supplying the output of the register with dummy binary data bearing no relation to the content of the register, in response to a request to read the register.
  • the securisation device comprises a signature calculation circuit receiving at input deterministic logic signals taken off in the coprocessor and producing a current cumulative signature according to the deterministic logic signals and to a previous cumulative signature, until a final cumulative signature is obtained at the end of the execution of the command, and comparison means for comparing the current cumulative signature and an expected signature, taking the error signal to the active value when the current cumulative signature is different from the expected signature.
  • the coprocessor comprises a control unit producing the control signals, and the deterministic logic signals comprise control signals produced by the control unit.
  • the signature calculation circuit is paced by a clock signal and calculates a current cumulative signature at each clock cycle.
  • the signature calculation circuit comprises a linear feedback shift register.
  • the coprocessor comprises a dedicated register for storing the expected signature.
  • the coprocessor comprises means for selecting the expected signature from a plurality of pre-recorded expected signatures each corresponding to a command executable by the coprocessor.
  • FIG. 1 schematically represents one example architecture of a microprocessor integrated circuit comprising a coprocessor
  • FIG. 2 is a more detailed view, in the form of a block diagram of an example coprocessor comprising a securisation device according to an embodiment of the present invention
  • FIG. 3 represents an example of an embodiment of the securisation device
  • FIG. 4 represents an embodiment of an element of the securisation device in greater detail.
  • FIG. 1 represents one example architecture of an integrated circuit IC of the microprocessor or microcontroller type.
  • the integrated circuit IC classically comprises a central processing unit CPU and peripheral elements of the CPU, here memories MEM 1 , MEM 2 , MEM 3 , a register bank REGBANK, and a coprocessor CP, dedicated for example to cryptographic calculation.
  • the memory MEM 1 is for example a non-volatile memory of ROM type (read-only memory)
  • the memory MEM 2 is an electrically erasable and programmable memory of EEPROM type
  • the memory MEM 3 is a volatile memory of RAM type.
  • the peripheral elements are linked to the CPU by a data bus DB, an address bus AB and a control bus CB.
  • The control bus can include a set of wires conveying selection or information signals sent by the CPU to the peripheral elements, or vice-versa.
  • the bus CB particularly conveys a read or write signal RW and a signal FETCH sent by the CPU during the reading of a code-instruction in one of the program memories.
  • the coprocessor CP comprises several registers linked to the data bus DB, here input INREG and output OUTREG registers enabling data to be exchanged with the CPU, a register COMREG enabling a command to be executed to be received from the CPU, and a state register STATREG supplying information about the state of the coprocessor.
  • the register STATREG comprises a bit RB (Ready/Busy) enabling the CPU to determine whether the coprocessor is busy or ready to receive a new command to be executed, and a bit RUN enabling the CPU to start the execution of a command once the code of the command has been written in the register COMREG.
  • the coprocessor positions the bit RUN to a determined logic value.
  • the coprocessor positions the bit RB to the “ready” logic state and resets the bit RUN.
  • the CPU can determine when the coprocessor has finished the execution of the command.
  • the coprocessor can be designed to send an interrupt signal ITR when it has finished processing the command, this signal being applied to an interrupt input of the CPU.
  • one embodiment of the coprocessor CP comprises an address decoder ADDEC linked to the address bus AB and supplying selection signals SELREGi for selecting a register according to the address sent on the bus AB, each of these signals being applied to a selection input SEL of one of the registers INREG, COMREG, STATREG, OUTREG.
  • the signal RW is also applied to the registers, to select a read or write access mode.
  • the coprocessor CP also comprises a calculation unit CU driven by a control block FSM.
  • the latter is produced here in the form of a finite state machine paced by a clock signal, such as the clock signal CK of the CPU for example, and is designed to determine a current state according to a previous state and to input signals proceeding for example from the registers COMREG and STATREG.
  • a set of control signals C 1 to C m supplied by the control block FSM corresponds to each state of the control block FSM, these control signals being applied in whole or part to the calculation unit CU.
  • the calculation unit CU processes input data proceeding from the input register INREG according to the control signals C 1 to C m , and delivers output data that are written in registers of the coprocessor such as the output register OUTREG for example.
  • the control block FSM can deliver the interrupt signal ITR to inform the CPU that the processing is finished.
  • the coprocessor CP also comprises a securisation device MU according to one embodiment of the present invention, which monitors the operation of the coprocessor during the execution of a command, so as to detect any abnormal progress in the execution of the command, due in particular to an error injection.
  • the device MU uses for example deterministic signals C i to C i+n taken off from the control signals C 1 to C m supplied by the control block FSM. These signals are deterministic (predictable) in that they only depend on the command being executed by the coprocessor, and thus enable the smooth execution of the command to be monitored.
  • the device MU activates an internal error signal ERS as soon as the execution of the command begins, and deactivates it at the end of the processing of the command, unless any abnormal progress in the execution of the command has been detected.
  • the coprocessor CP also comprises means for preventing access to certain units to be protected while the error signal ERS is active. Access to these units is therefore only possible when the error signal has been deactivated, e.g., at the end of the processing of the command if such processing has taken place normally.
  • the unit to be protected is here the output register OUTREG. More particularly, the register OUTREG is here read protected and this protection is obtained here by providing a scrambling of the data it supplies in response to a read request (resulting in the appearance of the address of this register on the data bus, the activation of the signal SELREGi corresponding to this register by the decoder ADDEC and the fact that the signal RW is on or changes to the “read” value on the control bus).
  • the coprocessor comprises a multiplexer MUX receiving the output of the register OUTREG at one input and at another input dummy binary data bearing no relation to the content of the register, such as random data for example or signals taken off in the coprocessor.
  • the output of the multiplexer is linked to the data bus DB.
  • the multiplexer receives at a selection input the error signal ERS produced by the securisation device MU, and its output supplies the dummy binary data if the error signal ERS is on the active value or the content of the register if the error signal ERS is on the inactive value.
  • the error signal ERS is activated and the multiplexer MUX, in response to the register OUTREG being read selected, supplies the dummy data on the bus DB instead of the data present in the register OUTREG.
  • a buffer circuit BUF is arranged between the output of the multiplexer MUX and the data bus DB.
  • the circuit BUF receives at a command input the selection signal SELREGi corresponding to the register OUTREG and the signal RW.
  • the output of the circuit BUF is by default in a high impedance state and becomes transparent relative to the input of the circuit BUF when the register OUTREG is read selected, to connect the output of the multiplexer MUX to the bus DB.
  • the outputs of the registers are by default in the high impedance state, while the registers are not read selected.
  • each register to be protected is equipped with a multiplexer and a buffer circuit like the ones described above.
  • These protection elements can also be integrated into the registers themselves, a classical register structure generally comprising a buffer-type or latch-type output stage. A multiplexer or any other means of scrambling data can thus be arranged before this output stage.
  • FIG. 3 represents an example of an embodiment of the securisation device MU.
  • the device MU comprises a hard-wired logic signature calculation circuit SCCT comprising parallel inputs receiving the deterministic signals C i to C i+n , and an output supplying a current signature CCS.
  • the signature CCS is sent back to an input of the circuit SCCT for the latter to calculate, at the pace of a clock signal CK which can be the clock signal of the CPU, a next cumulative signature that replaces the current cumulative signature at each new cycle of the clock signal.
  • the current signature CCS is applied to an input of a comparator COMP the other input of which receives an expected signature WS, supplied here by a dedicated register REFREG of the coprocessor ( FIGS. 2 and 3 ).
  • the expected signature WS is for example written in the register REFREG by the CPU after the latter has loaded the command to be executed into the register COMREG and before it positions the flag RUN in the register STATREG.
  • the coprocessor is equipped with a table or a bank of registers comprising a plurality of expected signatures, each one varying according to a command in a set of commands of the coprocessor, and the expected signature WS is selected by the coprocessor or the device MU according to the command received, before starting to execute the command.
  • the comparator COMP comprises an inverting output that delivers the internal error signal ERS. This is here equal to “1” (active value) while the current signature CCS is different from the expected signature WS.
  • the calculated signature is different from the expected value and the error signal ERS is on “1”. Any attempt to read the register OUTREG results in the dummy data being supplied on the data bus, while the execution of the command is not finished (because the expected signature is not yet obtained) or even after the processing of the command if this processing has not taken place as expected (the expected signature thus never being obtained).
  • FIG. 4 shows an example of an embodiment of the circuit SCCT in the form of a linear feedback shift register LFSR.
  • the circuit SCCT comprises a logic circuit PLCT and a signature register SREG with parallel input and output.
  • the circuit PLCT executes a signature function Fs and comprises inputs receiving the control signals C i to C i+n applied at input of the securisation device MU, as well as an input receiving a current cumulative signature CCS.
  • a securisation device enabling the integrated circuit to be taken by default into an error mode during the execution of a command by the coprocessor, and access to units of the coprocessor to be prevented while the circuit is in error mode.
  • Although the securisation device MU was described above as an element distinct from the control block FSM, it can be integrated into the control block, and additional capabilities relating to security can be provided.
  • the block FSM is arranged for verifying that the internal error signal ERS is on the active value before initiating the execution of a command. If that is not the case, the block FSM forces the external error signal ERS to the active value and can put itself into a determined state that it can only leave after the coprocessor has been completely reset.
  • the smooth execution of the command can furthermore be monitored in several ways, for example by applying control techniques mentioned in the preamble, based on a redundancy of the data paths present in the calculation unit of the coprocessor, or by combining such techniques with the one based on producing signatures varying according to deterministic signals.
  • coprocessor within the meaning of the present invention must be understood in a non-limitative manner.
  • a non-limiting example of a coprocessor within the meaning of the present invention is a hard-wired logic circuit provided for executing specific operations in response to a command supplied to it.
  • hard-wired logic circuits controlling data or address buses in microprocessors or microcontrollers or which control access to memories, and which comprise “sensitive” units that are to be protected against intrusions at least during the execution of certain operations triggered by specific commands.
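
The monitoring scheme described above (signature circuit SCCT with register SREG, comparator COMP, expected signature WS in REFREG, multiplexer MUX in front of OUTREG), written as a small behavioural model in C. This is an added example, not code from the patent: the signature function Fs (a 16-bit LFSR with parallel inputs, polynomial 0x1021, reset value 0xFFFF), the control-word sequence, the result value and the dummy-data generator are constructed assumptions, and the modelled fault is the skipped state mentioned in the background section.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumptions of this model, not values from the patent: 16-bit signature,
 * feedback polynomial 0x1021, reset value 0xFFFF, 8 monitored control
 * signals (Ci..Ci+n) sampled per clock cycle. */
#define SIG_POLY  0x1021u
#define SIG_RESET 0xFFFFu
#define NO_FAULT  ((size_t)-1)

/* Constructed sample: control words the FSM emits for one command, and the
 * result the calculation unit leaves in OUTREG. */
static const uint8_t SAMPLE_CTRL[] = { 0x11, 0x23, 0x47, 0x8E, 0x1C, 0x30 };
#define SAMPLE_LEN    (sizeof SAMPLE_CTRL / sizeof SAMPLE_CTRL[0])
#define SAMPLE_RESULT 0xCAFEF00Du

typedef struct {
    uint16_t sreg;    /* SREG: current cumulative signature CCS */
    uint16_t refreg;  /* REFREG: expected signature WS */
    uint32_t outreg;  /* OUTREG: written by the calculation unit */
    uint32_t dummy;   /* state of the dummy-data source feeding MUX */
} coproc_t;

/* Signature function Fs: next CCS from the previous CCS and the control
 * signals of the current clock cycle. */
static uint16_t fs_step(uint16_t ccs, uint8_t ctrl)
{
    uint16_t next = (uint16_t)(ccs << 1);
    if (ccs & 0x8000u)
        next ^= SIG_POLY;
    return (uint16_t)(next ^ ctrl);
}

/* COMP with inverting output: ERS is 1 while CCS differs from WS. */
static int ers(const coproc_t *cp)
{
    return cp->sreg != cp->refreg;
}

/* Reference run used to derive WS for a command (done once, at design time). */
static uint16_t expected_signature(const uint8_t *ctrl, size_t n)
{
    uint16_t s = SIG_RESET;
    for (size_t i = 0; i < n; i++)
        s = fs_step(s, ctrl[i]);
    return s;
}

/* Read access to OUTREG through MUX: dummy data while ERS is active.
 * The dummy source is a free-running 32-bit LFSR standing in for the
 * random data or internal signals the text mentions. */
static uint32_t read_outreg(coproc_t *cp)
{
    uint32_t lsb = cp->dummy & 1u;
    cp->dummy >>= 1;
    if (lsb)
        cp->dummy ^= 0x80200003u;
    return ers(cp) ? cp->dummy : cp->outreg;
}

/* Execute one command. `skip` is the index of a state that never occurs
 * (modelled fault), or NO_FAULT. Returns how many clock cycles before the
 * end of the command saw ERS inactive; a sound WS gives 0. */
static unsigned run_command(coproc_t *cp, const uint8_t *ctrl, size_t n,
                            uint16_t ws, size_t skip, uint32_t result)
{
    unsigned early_clear = 0;
    cp->refreg = ws;          /* WS loaded before RUN is set */
    cp->sreg = SIG_RESET;     /* CCS != WS, so ERS is active from the start */
    for (size_t i = 0; i < n; i++) {
        if (!ers(cp))
            early_clear++;
        if (i == skip)
            continue;         /* faulted: this state's signals are never clocked in */
        cp->sreg = fs_step(cp->sreg, ctrl[i]);
    }
    cp->outreg = result;      /* OUTREG holds data even when the run was faulted */
    return early_clear;
}

int main(void)
{
    coproc_t cp = { 0, 0, 0, 1u };
    uint16_t ws = expected_signature(SAMPLE_CTRL, SAMPLE_LEN);

    run_command(&cp, SAMPLE_CTRL, SAMPLE_LEN, ws, NO_FAULT, SAMPLE_RESULT);
    printf("normal run:  ERS=%d  OUTREG read=0x%08lX\n",
           ers(&cp), (unsigned long)read_outreg(&cp));

    run_command(&cp, SAMPLE_CTRL, SAMPLE_LEN, ws, 2, SAMPLE_RESULT);
    printf("state 2 skipped:  ERS=%d  OUTREG read=0x%08lX\n",
           ers(&cp), (unsigned long)read_outreg(&cp));
    return 0;
}
```

The return value of `run_command` matters when choosing WS: if an intermediate signature of a command happened to equal its final one, ERS would drop before the command ends, so each command's signature sequence should be checked for that during design.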

Abstract

The present invention relates to a coprocessor comprising a calculation unit for executing a command, and a securisation device for monitoring the execution of the command and supplying an error signal having an active value as soon as the execution of the command begins and an inactive value at the end of the execution of the command, if no abnormal progress in the execution of the command has been detected. The coprocessor further comprises means for preventing access to at least one unit of the coprocessor, while the error signal is on the active value. Application is provided particularly but not exclusively to the protection of integrated circuits for smart cards against attacks by fault injection.

Description

    TECHNICAL FIELD
  • The present disclosure generally relates to the protection of integrated circuits, such as integrated circuits for smart cards, against attacks by error injection.
  • The present disclosure relates more particularly but not exclusively to a method for monitoring the execution by a coprocessor of commands sent in particular by a microprocessor, as well as an integrated circuit comprising a coprocessor comprising means for monitoring the execution of commands.
    BACKGROUND INFORMATION
  • A coprocessor is a specific component designed to perform calculations particularly to offload the microprocessor to which it is coupled. It is generally driven by the microprocessor which communicates with it through registers to load calculation data, to configure it and finally to retrieve the results of the calculations and to be informed of the end of the calculations. A coprocessor generally comprises a control block comprising an interface with the data bus of the microprocessor and a state machine pacing the progress of the calculations, and a calculation unit controlled by the control block (also called “data path”).
  • In secured integrated circuits, such as those designed for smart cards, coprocessors are particularly used to perform cryptographic calculations, and thus handle secret keys. These coprocessors are therefore the targets of attacks aiming to discover these keys.
  • In recent years, the techniques of hacking secured microprocessor integrated circuits (e.g., microprocessors, microcontrollers, microprocessor memories, coprocessors, etc.) have developed considerably. The most advanced hacking methods currently involve injecting errors at determined points of an integrated circuit during the execution of so-called sensitive operations, such as authentication operations or operations of executing a cryptography algorithm for example. Such attacks by error injection, also referred to as attacks by fault injection, enable, in combination with mathematical models, the structure of a cryptography algorithm and/or the secret keys it uses to be deduced. The fault injection can be done in various ways, by introducing glitches into the supply voltage of the integrated circuit, by introducing glitches into the clock signal of the integrated circuit, by exposing the integrated circuit to radiations, etc.
  • Thus, the detection of error injections is considered one important measure to guarantee a high level of security to certain integrated circuits, particularly integrated circuits for smart cards.
  • A method for monitoring the execution of a program is already known, particularly through EP 1,161,725, which involves producing cumulative signatures that vary according to the codes-instructions that run in the instruction register of a microprocessor. Such a method enables a derailment of the program being executed, particularly due to an error injection, to be detected.
  • However, one type of attack against which a microprocessor integrated circuit must be protected is the injection of errors into the data supplied to a peripheral element, particularly a cryptographic coprocessor (which is generally integrated onto the same silicon chip as the microprocessor). Now, the monitoring of a derailment during the execution of a program by a microprocessor does not enable an attack on the related coprocessor to be detected, due to the fact that the latter processes each command sent by the microprocessor without interacting with the microprocessor before the end of the processing.
  • Techniques for detecting an attack on a coprocessor do exist. One of these techniques involves running several times the calculation to be performed corresponding to the command received, then comparing the results obtained. If these results are identical, it can be deduced that no attack has occurred. In this way, to make a successful attack, the error injection must be repeated several times, and in an identical manner in terms of its effects and temporal aspects. This technique multiplies the calculation times by the number of iterations, which is a major disadvantage. Further, if an error is highlighted in connection with the state of a state machine, the injection of a fault can result in skipping a state, and thus in masking the error.
  • Another technique involves providing an additional fault injection detection logic circuit. Regarding the calculation unit that has no deterministic properties since the data processed are not predictable, redundant data paths are provided and the identity of the signals in the redundant paths is compared on the fly. The detection of a difference between two redundant signals triggers the activation of an error signal. Regarding the control block which has a deterministic aspect, a signature circuit is used which calculates a signature, throughout the operation performed by the coprocessor, using certain control signals controlling the calculation unit. At the end of the calculation, the calculated signature is compared with an expected value and, if a difference is detected, revealing a fault injection, an alert signal is activated. Now, the comparison, whether performed by software or by a circuit, can be bypassed by an appropriate fault injection. This technique thus has a flaw.
    BRIEF SUMMARY OF THE INVENTION
  • Embodiments of the present invention aim to overcome these disadvantages.
  • Therefore, a first embodiment of the present invention puts the coprocessor into an error mode by default as soon as the execution of a command begins, and maintains the error mode while the smooth execution of the command is not confirmed, including when the execution of the command is finished if it has not taken place as expected.
  • Another embodiment of the present invention prevents access to certain units of the coprocessor while the error mode is present. An embodiment of the present invention is indeed based on the observation that a voluntary fault injection is generally accompanied by access to “sensitive” units of the coprocessor, such as an output register for example, which enables the fraudster to observe the effects of the fault injection and to deduce from them information about the coprocessor or the secret data it uses.
  • Thus, blocking access to “sensitive” units of the coprocessor, combined with the fact of putting it into an error mode by default which can only be lifted if the command has been correctly executed, provides a high level of security.
  • More particularly, one embodiment of the present invention provides a method for monitoring the execution of a command by a coprocessor, comprising:
  • producing, at the start of the execution of the command, an error signal having an active value,
  • during the execution of the command, monitoring the operation of the coprocessor so as to detect any abnormal progress in the execution of the command,
  • at the end of the execution of the command, taking the error signal to an inactive value unless any abnormal progress in the execution of the command has been detected, and
  • preventing access to at least one unit to be protected of the coprocessor, while the error signal is on an active value.
  • According to one embodiment, the unit to be protected comprises at least one register of the coprocessor.
  • According to one embodiment, the register is read protected.
  • According to one embodiment, the register is read protected by supplying the output of the register with dummy binary data bearing no relation to the content of the register, in response to a request to read the register.
  • According to one embodiment, the method comprises producing, in synchronization with a clock signal, current cumulative signatures, each current cumulative signature varying according to a previous cumulative signature and to deterministic logic signals taken off in the coprocessor, until a final cumulative signature is obtained at the end of the execution of the command, and maintaining the error signal on the active value when the cumulative signature is different from an expected signature.
  • According to one embodiment, the production of the signatures is paced by a clock signal of the coprocessor, one current cumulative signature being produced at each clock cycle during the execution of the command.
  • According to one embodiment, the deterministic logic signals comprise control signals produced by a control unit of the coprocessor.
  • According to one embodiment, the cumulative signatures are calculated by a linear feedback shift register.
  • According to one embodiment, the expected signature is read in a dedicated register of the coprocessor.
  • According to one embodiment, the expected signature is selected from a plurality of expected signatures each corresponding to a command executable by the coprocessor.
  • An embodiment of the present invention also relates to a coprocessor comprising a calculation unit for executing a command, a securisation device for monitoring the execution of the command and producing an error signal having an active value as soon as the execution of the command begins, and an inactive value at the end of the execution of the command unless any abnormal progress in the execution of the command has been detected, and protection means for preventing access to at least one unit to be protected of the coprocessor, while the error signal is on the active value.
  • According to one embodiment, the protection means are arranged for preventing access to at least one register of the coprocessor.
  • According to one embodiment, the protection means are arranged for preventing read access to at least one register of the coprocessor.
  • According to one embodiment, the protection means comprise means for supplying the output of the register with dummy binary data bearing no relation to the content of the register, in response to a request to read the register.
  • According to one embodiment, the securisation device comprises a signature calculation circuit receiving at input deterministic logic signals taken off in the coprocessor and producing a current cumulative signature according to the deterministic logic signals and to a previous cumulative signature, until a final cumulative signature is obtained at the end of the execution of the command, and comparison means for comparing the current cumulative signature and an expected signature, taking the error signal to the active value when the current cumulative signature is different from the expected signature.
  • According to one embodiment, the coprocessor comprises a control unit producing the control signals, and the deterministic logic signals comprise control signals produced by the control unit.
  • According to one embodiment, the signature calculation circuit is paced by a clock signal and calculates a current cumulative signature at each clock cycle.
  • According to one embodiment, the signature calculation circuit comprises a linear feedback shift register.
  • According to one embodiment, the coprocessor comprises a dedicated register for storing the expected signature.
  • According to one embodiment, the coprocessor comprises means for selecting the expected signature from a plurality of pre-recorded expected signatures each corresponding to a command executable by the coprocessor.
  • BRIEF DESCRIPTION OF THE SEVERAL VIEWS OF THE DRAWINGS
  • These and other features of the present invention will be explained in greater detail in the following description of one or more examples of a coprocessor according to various embodiments of the present invention, given in relation with, but not limited to the following figures:
  • FIG. 1 schematically represents one example architecture of a microprocessor integrated circuit comprising a coprocessor,
  • FIG. 2 is a more detailed view, in the form of a block diagram of an example coprocessor comprising a securisation device according to an embodiment of the present invention,
  • FIG. 3 represents an example of an embodiment of the securisation device, and
  • FIG. 4 represents an embodiment of an element of the securisation device in greater detail.
  • DETAILED DESCRIPTION
  • In the following description, numerous specific details are given to provide a thorough understanding of embodiments. One skilled in the relevant art will recognize, however, that the invention can be practiced without one or more of the specific details, or with other methods, components, materials, etc. In other instances, well-known structures, materials, or operations are not shown or described in detail to avoid obscuring aspects of the invention.
  • Reference throughout this specification to “one embodiment” or “an embodiment” means that a particular feature, structure, or characteristic described in connection with the embodiment is included in at least one embodiment. Thus, the appearances of the phrases “in one embodiment” or “in an embodiment” in various places throughout this specification are not necessarily all referring to the same embodiment. Furthermore, the particular features, structures, or characteristics may be combined in any suitable manner in one or more embodiments.
  • FIG. 1 represents one example architecture of an integrated circuit IC of the microprocessor or microcontroller type. The integrated circuit IC classically comprises a central processing unit CPU and peripheral elements of the CPU, here memories MEM1, MEM2, MEM3, a register bank REGBANK, and a coprocessor CP, dedicated for example to cryptographic calculation. The memory MEM1 is for example a non-volatile memory of ROM type (read-only memory), the memory MEM2 is an electrically erasable and programmable memory of EEPROM type, and the memory MEM3 a volatile memory of RAM type.
  • The peripheral elements are linked to the CPU by a data bus DB, an address bus AB and a control bus CB. “Control bus” can include a set of wires conveying selection or information signals sent by the CPU to the peripheral elements, or vice-versa. The bus CB particularly conveys a read or write signal RW and a signal FETCH sent by the CPU during the reading of a code-instruction in one of the program memories.
  • The coprocessor CP comprises several registers linked to the data bus DB, here input INREG and output OUTREG registers enabling data to be exchanged with the CPU, a register COMREG enabling a command to be executed to be received from the CPU, and a state register STATREG supplying information about the state of the coprocessor. The register STATREG comprises a bit RB (Ready/Busy) enabling the CPU to determine whether the coprocessor is busy or ready to receive a new command to be executed, and a bit RUN enabling the CPU to start the execution of a command once the code of the command has been written in the register COMREG. To start the execution of a command loaded into the register COMREG, the coprocessor positions the bit RUN to a determined logic value. When the processing of the command is finished, the coprocessor positions the bit RB to the “ready” logic state and resets the bit RUN. By monitoring the state of the bit RB, periodically for example, the CPU can determine when the coprocessor has finished the execution of the command. Alternatively, the coprocessor can be designed to send an interrupt signal ITR when it has finished processing the command, this signal being applied to an interrupt input of the CPU.
  • As represented in FIG. 2, one embodiment of the coprocessor CP comprises an address decoder ADDEC linked to the address bus AB and supplying selection signals SELREGi for selecting a register according to the address sent on the bus AB, each of these signals being applied to a selection input SEL of one of the registers INREG, COMREG, STATREG, OUTREG. The signal RW is also applied to the registers, to select a read or write access mode.
  • The coprocessor CP also comprises a calculation unit CU driven by a control block FSM. The latter is produced here in the form of a finite state machine paced by a clock signal, such as the clock signal CK of the CPU for example, and is designed to determine a current state according to a previous state and to input signals proceeding for example from the registers COMREG and STATREG. A set of control signals C1 to Cm supplied by the control block FSM corresponds to each state of the control block FSM, these control signals being applied in whole or part to the calculation unit CU.
  • The calculation unit CU processes input data proceeding from the input register INREG according to the control signals C1 to Cm, and delivers output data that are written in registers of the coprocessor such as the output register OUTREG for example. At the end of the calculation corresponding to the processing of the command supplied by the CPU in the register COMREG, the control block FSM can deliver the interrupt signal ITR to inform the CPU that the processing is finished.
  • The coprocessor CP also comprises a securisation device MU according to one embodiment of the present invention, which monitors the operation of the coprocessor during the execution of a command, so as to detect any abnormal progress in the execution of the command, due in particular to an error injection. To this end, the device MU uses for example deterministic signals Ci to Ci+n taken off from the control signals C1 to Cm supplied by the control block FSM. These signals are deterministic (predictable) in that they only depend on the command being executed by the coprocessor, and thus enable the smooth execution of the command to be monitored.
  • To avoid the information concerning the detection of an attack being masked by a fault injection, the device MU activates an internal error signal ERS as soon as the execution of the command begins, and deactivates it at the end of the processing of the command, unless any abnormal progress in the execution of the command has been detected.
  • The coprocessor CP also comprises means for preventing access to certain units to be protected while the error signal ERS is active. Access to these units is therefore only possible when the error signal has been deactivated, e.g., at the end of the processing of the command if such processing has taken place normally.
  • As an example, the unit to be protected is here the output register OUTREG. More particularly, the register OUTREG is here read protected and this protection is obtained here by providing a scrambling of the data it supplies in response to a read request (resulting in the appearance of the address of this register on the data bus, the activation of the signal SELREGi corresponding to this register by the decoder ADDEC and the fact that the signal RW is on or changes to the “read” value on the control bus).
  • To this end, the coprocessor comprises a multiplexer MUX receiving the output of the register OUTREG at one input and at another input dummy binary data bearing no relation to the content of the register, such as random data for example or signals taken off in the coprocessor. The output of the multiplexer is linked to the data bus DB. The multiplexer receives at a selection input the error signal ERS produced by the securisation device MU, and its output supplies the dummy binary data if the error signal ERS is on the active value or the content of the register if the error signal ERS is on the inactive value.
  • Thus, while the execution of the command is not finished or if a fault is detected in the processing of the command, the error signal ERS is activated and the multiplexer MUX, in response to the register OUTREG being read selected, supplies the dummy data on the bus DB instead of the data present in the register OUTREG.
  • So as not to permanently apply the dummy data on the bus when the signal ERS is active, a buffer circuit BUF is arranged between the output of the multiplexer MUX and the data bus DB. The circuit BUF receives at a command input the selection signal SELREGi corresponding to the register OUTREG and the signal RW. The output of the circuit BUF is by default in a high impedance state and becomes transparent relative to the input of the circuit BUF when the register OUTREG is read selected, to connect the output of the multiplexer MUX to the bus DB.
  • Similarly, the outputs of the registers are by default in the high impedance state, while the registers are not read selected.
  • If several registers must be read protected, the output of each register to be protected is equipped with a multiplexer and a buffer circuit like the ones described above. These protection elements can also be integrated into the registers themselves, a classical register structure generally comprising a buffer-type or latch-type output stage. A multiplexer or any other means of scrambling data can thus be arranged before this output stage.
  • It shall be noted that if the CPU must monitor the end of the processing performed by the coprocessor by periodically reading the state register STATREG, this register must not be read protected.
  • FIG. 3 represents an example of an embodiment of the securisation device MU.
  • The device MU comprises a hard-wired logic signature calculation circuit SCCT comprising parallel inputs receiving the deterministic signals Ci to Ci+n, and an output supplying a current signature CCS. The signature CCS is sent back to an input of the circuit SCCT for the latter to calculate, at the pace of a clock signal CK which can be the clock signal of the CPU, a next cumulative signature that replaces the current cumulative signature at each new cycle of the clock signal.
  • The current signature CCS is applied to an input of a comparator COMP the other input of which receives an expected signature WS, supplied here by a dedicated register REFREG of the coprocessor (FIGS. 2 and 3). The expected signature WS is for example written in the register REFREG by the CPU after the latter has loaded the command to be executed into the register COMREG and before it positions the flag RUN in the register STATREG. Alternatively, the coprocessor is equipped with a table or a bank of registers comprising a plurality of expected signatures, each one varying according to a command in a set of commands of the coprocessor, and the expected signature WS is selected by the coprocessor or the device MU according to the command received, before starting to execute the command.
  • The comparator COMP comprises an inverting output that delivers the internal error signal ERS. This is here equal to “1” (active value) while the current signature CCS is different from the expected signature WS.
  • Thus, while the processing of the command is not finished, the calculated signature is different from the expected value and the error signal ERS is on “1”. Any attempt to read the register OUTREG results in the dummy data being supplied on the data bus, while the execution of the command is not finished (because the expected signature is not yet obtained) or even after the processing of the command if this processing has not taken place as expected (the expected signature thus never being obtained).
  • FIG. 4 shows an example of an embodiment of the circuit SCCT in the form of a linear feedback shift register LFSR. The circuit SCCT comprises a logic circuit PLCT and a signature register SREG with parallel input and output. The circuit PLCT executes a signature function Fs and comprises inputs receiving the control signals Ci to Ci+n applied at input of the securisation device MU, as well as an input receiving a current cumulative signature CCS. The output of the circuit PLCT supplies to the input of the register SREG a next cumulative signature NCS that varies according to the current cumulative signature CCS and to the signals applied to its other inputs, e.g.:
    $NCS = F_s(CCS, C_i, \ldots, C_{i+n})$  (1)
    Upon each new clock cycle CK, the register SREG copies to its output the signature present at its input, such that the next signature supplied by the circuit PLCT during the previous clock cycle becomes the current signature, and the current signature of the previous clock cycle becomes the previous signature PCS, e.g.:
    $CCS = F_s(PCS, C_i, \ldots, C_{i+n})$  (2)
    the relation (2) being equivalent to the relation (1) seen from the output of the register SREG.
  • For the sake of simplicity, various signals that can easily be provided by those skilled in the art have not been described above, only the signals required to understand embodiments of the present invention having been mentioned.
  • It will be understood by those skilled in the art that various alternative embodiments and improvements of the present invention are possible.
  • Generally speaking, those skilled in the art will be able to provide other embodiments of a securisation device enabling the integrated circuit to be taken by default into an error mode during the execution of a command by the coprocessor, and access to units of the coprocessor to be prevented while the circuit is in error mode.
  • Furthermore, although the securisation device MU was described above as an element distinct from the control block FSM, it can be integrated into the control block and additional capabilities relating to security can be provided.
  • In particular, in one embodiment, the block FSM is arranged for verifying that the internal error signal ERS is on the active value before initiating the execution of a command. If that is not the case, the block FSM forces the external error signal ERS to the active value and can put itself into a determined state that it can only leave after the coprocessor has been completely reset.
  • Furthermore, it goes without saying that the logic values described above corresponding to the active state of the signals only have a relative value.
  • The smooth execution of the command can furthermore be monitored in several ways, for example by applying control techniques mentioned in the preamble, based on a redundancy of the data paths present in the calculation unit of the coprocessor, or by combining such techniques with the one based on producing signatures varying according to deterministic signals.
  • Finally, the notion of coprocessor within the meaning of the present invention must be understood in a non-limitative manner. Generally speaking, a non-limiting example of a coprocessor within the meaning of the present invention is a hard-wired logic circuit provided for executing specific operations in response to a command supplied to it. Thus, it is possible for example to secure by one or more embodiments of the present invention hard-wired logic circuits controlling data or address buses in microprocessors or microcontrollers or which control access to memories, and which comprise “sensitive” units that are to be protected against intrusions at least during the execution of certain operations triggered by specific commands.
  • All of the above U.S. patents, U.S. patent application publications, U.S. patent applications, foreign patents, foreign patent applications and non-patent publications referred to in this specification and/or listed in the Application Data Sheet, are incorporated herein by reference, in their entirety.
  • The above description of illustrated embodiments, including what is described in the Abstract, is not intended to be exhaustive or to limit the invention to the precise forms disclosed. While specific embodiments and examples are described herein for illustrative purposes, various equivalent modifications are possible within the scope of the invention and can be made without deviating from the spirit and scope of the invention.
  • These and other modifications can be made to the invention in light of the above detailed description. The terms used in the following claims should not be construed to limit the invention to the specific embodiments disclosed in the specification and the claims. Rather, the scope of the invention is to be determined entirely by the following claims, which are to be construed in accordance with established doctrines of claim interpretation.

Claims (29)

1. A method for monitoring an execution of a command by a coprocessor, the method comprising:
producing, at a start of the execution of the command, an error signal having an active value;
during the execution of the command, monitoring operation of the coprocessor so as to detect any abnormal progress in the execution of the command;
at an end of the execution of the command, taking the error signal to an inactive value unless any abnormal progress in the execution of the command has been detected; and
preventing access to at least one unit to be protected of the coprocessor, while the error signal is on the active value.
2. The method according to claim 1 wherein the unit to be protected comprises at least one register of the coprocessor.
3. The method according to claim 2 wherein the register is read protected.
4. The method according to claim 3 wherein the register is read protected by supplying an output of the register with dummy binary data bearing no relation to content of the register, in response to a request to read the register.
5. The method according to claim 1, further comprising:
producing, in synchronization with a clock signal, current cumulative signatures, each current cumulative signature varying according to a previous cumulative signature and to deterministic logic signals, until a final cumulative signature is obtained at the end of the execution of the command; and
maintaining the error signal on the active value if the cumulative signature is different from an expected signature.
6. The method according to claim 5 wherein production of the signatures is paced by a clock signal of the coprocessor, one current cumulative signature being produced at each clock cycle during the execution of the command.
7. The method according to claim 5 wherein the deterministic logic signals comprise control signals produced by a control unit of the coprocessor.
8. The method according to claim 5 wherein the cumulative signatures are calculated by a linear feedback shift register.
9. The method according to claim 5 wherein the expected signature is read in a dedicated register of the coprocessor.
10. The method according to claim 5 wherein the expected signature is selected from a plurality of expected signatures each corresponding to a command executable by the coprocessor.
11. A coprocessor having a calculation unit for executing a command, the coprocessor comprising:
a securisation device for monitoring an execution of the command and for producing an error signal having an active value at a beginning of the execution of the command, and having an inactive value at an end of the execution of the command unless any abnormal progress in the execution of the command has been detected; and
protection means for preventing access to at least one unit to be protected of the coprocessor, while the error signal is on the active value.
12. The coprocessor according to claim 11 wherein the protection means are arranged for preventing access to at least one register of the coprocessor.
13. The coprocessor according to claim 11 wherein the protection means are arranged for preventing read access to at least one register of the coprocessor.
14. The coprocessor according to claim 12 wherein the protection means comprise means for supplying an output of the register with dummy binary data bearing no relation to content of the register, in response to a request to read the register.
15. The coprocessor according to claim 11 wherein the securisation device comprises:
a signature calculation circuit receiving at input deterministic logic signals and producing a current cumulative signature according to the deterministic logic signals and to a previous cumulative signature, until a final cumulative signature is obtained at the end of the execution of the command; and
comparison means for comparing the current cumulative signature and an expected signature, taking the error signal to the active value if the current cumulative signature is different from the expected signature.
16. The coprocessor according to claim 15, further comprising a control unit producing the control signals, and wherein the deterministic logic signals comprise control signals produced by the control unit.
17. The coprocessor according to claim 15 wherein the signature calculation circuit is paced by a clock signal and calculates a current cumulative signature at each clock cycle.
18. The coprocessor according to claim 15 wherein the signature calculation circuit comprises a linear feedback shift register.
19. The coprocessor according to claim 15, further comprising a dedicated register for storing the expected signature.
20. The coprocessor according to claim 15, further comprising means for selecting the expected signature from a plurality of pre-recorded expected signatures each corresponding to a command executable by the coprocessor.
21. An apparatus having a coprocessor, the apparatus comprising:
a calculation unit to execute a command;
a device operatively coupled to the calculation unit to monitor execution of the command and to produce an error signal having an active value at a beginning of the execution of the command, the error signal having an inactive value at an end of the execution of the command unless an abnormal progress in the execution of the command has been detected; and
protection circuitry coupled to the device to prevent access to at least one unit to be protected of the coprocessor, if the error signal has the active value.
22. The apparatus of claim 21 wherein the unit to be protected includes a register of the coprocessor, the protection circuitry being coupled to prevent read access to the register if the error signal has the active value.
23. The apparatus of claim 22 wherein the protection circuitry includes:
a multiplexer coupled to a bus to supply dummy data to the bus instead of data present in the register if the error signal has the active value; and
a buffer, coupled between the multiplexer and the bus, that can be selectively controlled to provide the data present in the register to the bus if the error signal has the inactive value and to provide the dummy data from the multiplexer to the bus if the error signal has the active value.
24. The apparatus of claim 21 wherein the device includes:
a signature calculation circuit to receive input logic signals and to produce a current cumulative signature based on the logic signals and on a previous cumulative signature, until a final cumulative signature is obtained at the end of the execution of the command; and
a comparison circuit coupled to the signature calculation circuit to compare the current cumulative signature with a reference signature, the comparison circuit being coupled to provide the error signal with the active value if the current cumulative signature is different from the reference signature.
25. A system, comprising:
a processor;
a bus coupled to the processor; and
a coprocessor coupled to the processor through the bus, the coprocessor including:
a calculation unit to execute a command;
a device operatively coupled to the calculation unit to monitor execution of the command and to produce an error signal having a value that is based on whether an abnormal condition associated with the execution of the command has been detected; and
protection circuitry coupled to the device to prevent access to at least one unit to be protected of the coprocessor, if the error signal has the active value.
26. The system of claim 25 wherein the error signal has an active value at a beginning of the execution of the command and has an inactive value at an end of the execution of the command unless the abnormal condition associated with the execution of the command has been detected.
27. The system of claim 25 wherein the processor and coprocessor comprise part of a smart card device.
28. The system of claim 25 wherein the protection circuitry includes:
a first circuit coupled to the bus to supply dummy data to the bus instead of register data if the error signal has a first value; and
a second circuit, coupled between the first circuit and the bus, that can be selectively controlled to provide the register data to the bus if the error signal has a second value and to provide the dummy data from the first circuit to the bus if the error signal has the first value.
29. The system of claim 25 wherein the device includes:
a first circuit block to receive input logic signals and to produce a current cumulative signature based on the logic signals and on a previous cumulative signature, until a final cumulative signature is obtained at the end of the execution of the command; and
a second circuit block coupled to the first circuit block to compare the current cumulative signature with a reference signature, the second circuit block being coupled to provide the error signal with a value indicative of the abnormal condition if the current cumulative signature is different from the reference signature.
US11/398,857 2005-04-05 2006-04-05 Secured coprocessor comprising means for preventing access to a unit of the coprocessor Expired - Fee Related US7934265B2 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
FR0503329A FR2884000A1 (en) 2005-04-05 2005-04-05 Cryptographic coprocessor control execution monitoring method for integrated circuit, involves carrying error signal if abnormal flow of execution is detected and preventing access to register as long as signal is given with active value
FR0503329 2005-04-05

Publications (2)

Publication Number Publication Date
US20060265570A1 true US20060265570A1 (en) 2006-11-23
US7934265B2 US7934265B2 (en) 2011-04-26

Family

ID=35064731

Family Applications (1)

Application Number Title Priority Date Filing Date
US11/398,857 Expired - Fee Related US7934265B2 (en) 2005-04-05 2006-04-05 Secured coprocessor comprising means for preventing access to a unit of the coprocessor

Country Status (3)

Country Link
US (1) US7934265B2 (en)
EP (1) EP1710700A3 (en)
FR (1) FR2884000A1 (en)

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20070075732A1 (en) * 2005-10-04 2007-04-05 Fruhauf Serge F System and method for using dummy cycles to mask operations in a secure microcontroller
US20070159882A1 (en) * 2005-04-21 2007-07-12 Stmicroelectronics S.A. Protection of the flow of a program executed by an integrated circuit or of data contained in this circuit
US9104890B2 (en) 2012-07-12 2015-08-11 Samsung Electronics Co., Ltd. Data processing device and a secure memory device including the same
CN109891425A (en) * 2016-08-04 2019-06-14 耐瑞唯信有限公司 Sequence verification

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
FR2946787A1 (en) * 2009-06-16 2010-12-17 St Microelectronics Rousset METHOD FOR DETECTING ATTACK BY FAULT INJECTION OF A MEMORY DEVICE, AND CORRESPONDING MEMORY DEVICE

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
GB2311152A (en) 1996-03-11 1997-09-17 Vlsi Technology Inc Dual mode security architecture with protected internal operating system
JP3625340B2 (en) * 1996-09-19 2005-03-02 株式会社東芝 Security system

Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20070159882A1 (en) * 2005-04-21 2007-07-12 Stmicroelectronics S.A. Protection of the flow of a program executed by an integrated circuit or of data contained in this circuit
US7593258B2 (en) * 2005-04-21 2009-09-22 Stmicroelectronics S.A. Protection of the flow of a program executed by an integrated circuit or of data contained in this circuit
US20070075732A1 (en) * 2005-10-04 2007-04-05 Fruhauf Serge F System and method for using dummy cycles to mask operations in a secure microcontroller
US7372290B2 (en) * 2005-10-04 2008-05-13 Stmicroelectronics, Inc. System and method for using dummy cycles to mask operations in a secure microcontroller
US9104890B2 (en) 2012-07-12 2015-08-11 Samsung Electronics Co., Ltd. Data processing device and a secure memory device including the same
CN109891425A (en) * 2016-08-04 2019-06-14 耐瑞唯信有限公司 Sequence verification

Also Published As

Publication number Publication date
US7934265B2 (en) 2011-04-26
EP1710700A2 (en) 2006-10-11
FR2884000A1 (en) 2006-10-06
EP1710700A3 (en) 2008-07-02

Similar Documents

Publication Publication Date Title
US7954153B2 (en) Secured coprocessor comprising an event detection circuit
US7584386B2 (en) Microprocessor comprising error detection means protected against an attack by error injection
WO2020037612A1 (en) Embedded program secure boot method, apparatus and device, and storage medium
US8184812B2 (en) Secure computing device with monotonic counter and method therefor
US10509568B2 (en) Efficient secure boot carried out in information processing apparatus
US20070237325A1 (en) Method and apparatus to improve security of cryptographic systems
US7822995B2 (en) Apparatus and method for protecting diagnostic ports of secure devices
EP2172866A1 (en) Information processor and tampering verification method
US7934265B2 (en) Secured coprocessor comprising means for preventing access to a unit of the coprocessor
KR20040106352A (en) Protection against memory attacks following reset
CN108108631A (en) A kind of root key processing method and relevant apparatus
TWI691842B (en) Secure memory access using memory read restriction
WO2020063975A1 (en) Partition protection method and apparatus for non-volatile memory
KR100972540B1 (en) Secure memory card with life cycle phases
US11328098B2 (en) Electronic circuit
JP2018169694A (en) Security device having tamper resistance against failure utilization attack
US7624442B2 (en) Memory security device for flexible software environment
US9507931B2 (en) Security device and controlling method thereof
JP6622360B2 (en) Information processing device
US20080228989A1 (en) Method and device for securing the reading of a memory
CN113486360B (en) RISC-V based safe starting method and system
JP7005676B2 (en) Safety devices and safety methods for monitoring system startup
WO2018040678A1 (en) Memory data protection method, integrated circuit chip, and storage medium
CN112015582B (en) Self-correcting memory system and method for providing error correction to memory content
US20070234149A1 (en) Checking the integrity of programs or the sequencing of a state machine

Legal Events

Date Code Title Description
AS Assignment

Owner name: STMICROELECTRONICS S.A., FRANCE

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNORS:BANCEL, FREDERIC;BERARD, NICOLAS;REEL/FRAME:017979/0021

Effective date: 20060628

STCF Information on status: patent grant

Free format text: PATENTED CASE

FPAY Fee payment

Year of fee payment: 4

MAFP Maintenance fee payment

Free format text: PAYMENT OF MAINTENANCE FEE, 8TH YEAR, LARGE ENTITY (ORIGINAL EVENT CODE: M1552); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY

Year of fee payment: 8

FEPP Fee payment procedure

Free format text: MAINTENANCE FEE REMINDER MAILED (ORIGINAL EVENT CODE: REM.); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY

LAPS Lapse for failure to pay maintenance fees

Free format text: PATENT EXPIRED FOR FAILURE TO PAY MAINTENANCE FEES (ORIGINAL EVENT CODE: EXP.); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY

STCH Information on status: patent discontinuation

Free format text: PATENT EXPIRED DUE TO NONPAYMENT OF MAINTENANCE FEES UNDER 37 CFR 1.362

FP Lapsed due to failure to pay maintenance fee

Effective date: 20230426